Notice of Privacy Practices Template

Generate a compliant HIPAA Notice of Privacy Practices in minutes. Enter your practice details and privacy officer contact — the NPP generates instantly, based on the HHS model notice. Ready to print, copy, or post on your website.

Pre-filled with a realistic example. Edit any field below — the Notice of Privacy Practices updates in real time.

Covered Entity Information

Practice / Organization Name

Street Address

City

State

ZIP

Phone

Fax

Website (optional)

Practice Type

Privacy Officer Contact

The designated contact for privacy questions and complaints.

Full Name

Title

Phone

Notice Options

Effective Date

Optional Sections

Include research uses/disclosuresInclude fundraising communicationsInclude substance use disorder (SUD) records section (required as of Feb 2026)

Notice of Privacy Practices

Pursuant to the HIPAA Privacy Rule — 45 CFR §§ 164.520

Lakewood Family Medicine

1200 Oak Street, Suite 300, Denver, CO 80220

Phone: (303) 555-0142 | Fax: (303) 555-0143

Effective Date: March 9, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Lakewood Family Medicine is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to maintain the privacy of your protected health information (PHI) and to provide you with this notice explaining our legal duties and privacy practices. We are required to abide by the terms of this notice as currently in effect.

How We May Use and Disclose Your Health Information

For Treatment

We may use your health information to provide, coordinate, or manage your healthcare and related services. For example, we may share your information with a specialist to whom we refer you, a pharmacy filling your prescription, or a laboratory performing tests ordered by your provider.

For Payment

We may use and disclose your health information to bill and collect payment for the services we provide. For example, we may send a claim to your health insurance plan that includes information identifying you, your diagnosis, and the treatment provided.

For Healthcare Operations

We may use and disclose your health information for activities necessary to run Lakewood Family Medicine and ensure quality care. This includes quality assessment, employee training, accreditation, licensing, credentialing, and conducting or arranging for business management and general administrative activities.

Other Uses and Disclosures Without Your Authorization

We may also use or disclose your health information without your written authorization for the following purposes, as permitted or required by law:

As required by law — when federal, state, or local law requires disclosure.
Public health activities — to public health authorities for preventing disease, injury, or disability; reporting births, deaths, or suspected abuse/neglect.
Health oversight activities — to a health oversight agency for audits, investigations, inspections, or licensing.
Judicial and administrative proceedings — in response to a court order or, in certain cases, a subpoena.
Law enforcement purposes — as required by law or in response to a valid court order, warrant, or administrative request.
Coroners, funeral directors, organ donation — to identify a deceased person, determine cause of death, or facilitate organ/tissue donation.
Workers' compensation — as authorized by workers' compensation laws.
Serious threats to health or safety — to prevent or lessen a serious and imminent threat to a person or the public.
Military and veterans — if you are a member of the armed forces, as required by military command authorities.
Inmates — if you are an inmate of a correctional institution, for the institution's provision of healthcare, safety, or security.

Substance Use Disorder (SUD) Records

As of February 16, 2026, federal regulations (42 CFR Part 2) align SUD patient records more closely with HIPAA. If we maintain substance use disorder treatment records, those records receive the same protections described in this notice. We will not use or disclose SUD records for civil, criminal, administrative, or legislative proceedings against you without your written consent, except as permitted by law. Any unauthorized re-disclosure of SUD records is prohibited by federal law.

Uses and Disclosures Requiring Your Written Authorization

We will obtain your written authorization before using or disclosing your health information for purposes not described in this notice. Specifically, we must have your authorization for:

Most uses and disclosures of psychotherapy notes
Uses and disclosures for marketing purposes
Disclosures that constitute a sale of your health information
Any other uses and disclosures not described in this notice

You may revoke any authorization you provide, in writing, at any time. Revocation will not affect any actions already taken in reliance on the authorization.

Your Rights Regarding Your Health Information

Right to Access

You have the right to inspect and obtain a copy of your health information maintained by us, including medical and billing records. We may charge a reasonable, cost-based fee for copies. We must respond within 30 days (one 30-day extension permitted).

Right to Amend

You have the right to request an amendment to your health information if you believe it is incorrect or incomplete. We may deny the request in certain circumstances but must provide a written explanation.

Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures we have made of your health information. This does not include disclosures for treatment, payment, or healthcare operations, or disclosures you authorized in writing.

Right to Request Restrictions

You have the right to request that we limit how we use or disclose your health information for treatment, payment, or healthcare operations. We are not required to agree except when you request we not disclose information to your health plan for services you paid for in full out of pocket.

Right to Confidential Communications

You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you may ask that we contact you only by mail or at a specific phone number.

Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you have previously agreed to receive it electronically.

Right to Be Notified of a Breach

You have the right to be notified if there is a breach of your unsecured protected health information. We will notify you in writing without unreasonable delay and no later than 60 days after discovery of the breach.

Our Duties

Lakewood Family Medicine is required by law to:

Maintain the privacy of your protected health information.
Provide you with this notice of our legal duties and privacy practices with respect to your health information.
Follow the terms of the notice that is currently in effect.
Notify you if we are unable to agree to a requested restriction on how your information is used or disclosed.
Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations.

We reserve the right to change the terms of this notice and to make new provisions effective for all protected health information we maintain. If we revise this notice, we will make the revised notice available upon request and post it in our facility.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with Lakewood Family Medicine or with the U.S. Department of Health and Human Services.

To file with us: Contact Sarah Chen, HIPAA Privacy Officer, at (303) 555-0144 or email privacy@lakewoodfamilymed.com.

To file with HHS: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201. Call 1-877-696-6775 or visit www.hhs.gov/ocr/privacy/hipaa/complaints.

You will not be penalized or retaliated against for filing a complaint.

Contact Information

Lakewood Family Medicine

1200 Oak Street, Suite 300, Denver, CO 80220

Phone: (303) 555-0142 | Fax: (303) 555-0143

Privacy Officer

Sarah Chen, HIPAA Privacy Officer

Phone: (303) 555-0144 | Email: privacy@lakewoodfamilymed.com

Acknowledgment of Receipt

I acknowledge that I have received a copy of the Notice of Privacy Practices for Lakewood Family Medicine.

Patient / Authorized Representative Signature

Date

Printed Name of Patient

If Representative: Relationship to Patient

What Is a Notice of Privacy Practices?

A Notice of Privacy Practices (NPP) is a document that every HIPAA covered entity must provide to patients. Required under 45 CFR § 164.520, the NPP explains how the practice may use and disclose protected health information (PHI), what rights patients have over their records, and how to file a complaint if they believe their privacy has been violated.

The NPP is different from a HIPAA authorization form — the NPP is a one-way informational document from the practice to the patient, while an authorization is a patient-signed permission for a specific disclosure. Every practice needs both.

What Must an NPP Include?

The Privacy Rule at 45 CFR § 164.520(b) specifies the required content. An NPP that omits any required element is non-compliant and may trigger enforcement action from the Office for Civil Rights (OCR).

Required Section	What It Covers
Uses & disclosures for TPO	How PHI may be used for treatment, payment, and healthcare operations
Other permitted uses	Disclosures for public health, law enforcement, judicial proceedings, etc.
Authorization-required uses	Psychotherapy notes, marketing, sale of PHI
Patient rights	Access, amendment, accounting, restrictions, confidential communications, breach notification
Practice duties	Legal obligations to maintain privacy and follow the notice
Complaint process	How to file with the practice and with HHS Office for Civil Rights
Contact information	Privacy officer name, title, phone, and email
Effective date	Date the notice takes or took effect

This generator automatically includes all eight required sections. As of February 2026, practices that handle substance use disorder records must also include a 42 CFR Part 2 section explaining how SUD records are protected — enabled by default in our tool.

NPP Distribution Requirements

Creating the notice is only half the requirement. The Privacy Rule also specifies how you must distribute it:

First service delivery

Providers with direct treatment relationships must provide the NPP no later than first service delivery and make a good faith effort to obtain written acknowledgment.

Available on request

The NPP must be available at the provider's office for anyone who asks for a copy.

Posted prominently

A copy must be posted in a clear and prominent location within the facility.

Website posting

If the covered entity has a website, the NPP must be prominently posted and available electronically.

Good faith effort: If a patient refuses to sign the acknowledgment, document the attempt. The NPP is still valid — the acknowledgment is not a condition for treatment.

How to Use This NPP Generator

1
Enter your practice details — Name, address, phone, and fax of the covered entity.
2
Add privacy officer contact — Name, title, phone, and email of the privacy contact.
3
Select options — Include research uses, fundraising, and SUD records as needed.
4
Review the generated notice — The complete NPP appears below, updated in real time.
5
Print or copy — Print for physical distribution or copy to paste into your EHR.

Important: This tool generates a template based on the HHS model NPP. Have your compliance officer or legal counsel review the completed notice before distribution. State laws may require additional provisions — for example, some states have specific language requirements for mental health or HIV/AIDS records.

When Must You Update Your NPP?

The Privacy Rule requires covered entities to promptly revise and redistribute the NPP whenever there is a material change to the uses or disclosures, patient rights, legal duties, or other privacy practices described in the notice.

Trigger	Action Required
New regulation (e.g., 2026 SUD rule)	Update NPP, make available, post revised version
Change in privacy officer	Update contact information in the notice
New uses of PHI (e.g., research)	Add description to the NPP and redistribute
Practice address or name change	Update and re-post; no need to redistribute to all patients

Keep a dated archive of all prior versions. OCR auditors will ask to see your NPP revision history as part of a standard risk assessment or compliance review.

Related Tools & Guides

HIPAA Compliance Checklist

Comprehensive checklist covering all Privacy, Security, and Breach Notification requirements.

HIPAA Release Form Generator

Build a properly formatted HIPAA authorization form for releasing protected health information.

BAA Template Generator

Create a Business Associate Agreement that meets HIPAA requirements.

Who Does HIPAA Apply To?

Understand which entities and individuals are covered by HIPAA regulations.

Patient Bill of Rights

Complete guide to patient rights in healthcare, including HIPAA privacy rights.